If the attacker guesses wrong, the session won’t be found in the session
store and a new session will be generated. This is exactly the same
case as when a user uses a session ID that is old and has been deleted
from the session store by your session store cleanup process.

Do you just want to track when a session ID is invalid, or do you want
to stop the generation of new sessions?

Is there a way that our application can understand whether the session
ID sent from the browser is forged or created by Rails? I understand
that if the attacker guesses a session ID, there's nothing we can do about
it; but can we understand if he/she is trying to guess by creating
random session IDs?
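
An added example, not part of the original thread and not Rails code: because a single unknown session ID looks the same whether it is expired or guessed, one way to spot guessing is to count session-store misses per client over a time window. `SessionMissMonitor`, `classify`, the threshold and the sample requests are all hypothetical and constructed for illustration.

```ruby
require "set"

# Hypothetical helper (not a Rails API): counts session-store misses per client.
class SessionMissMonitor
  def initialize(known_ids, threshold: 5, window: 60)
    @known = Set.new(known_ids)              # stands in for the session store
    @threshold = threshold                   # misses tolerated per window
    @window = window                         # window length in seconds
    @misses = Hash.new { |h, k| h[k] = [] }  # client ip => miss timestamps
  end

  # Returns :no_cookie, :found, :miss or :suspicious for one request.
  def observe(ip, session_id, now)
    return :no_cookie if session_id.nil? || session_id.empty?
    return :found if @known.include?(session_id)

    # Unknown ID: expired or guessed, the store cannot tell which.
    recent = @misses[ip]
    recent << now
    recent.reject! { |t| now - t > @window }  # keep only misses in the window
    recent.size >= @threshold ? :suspicious : :miss
  end
end

# Constructed session IDs and requests: [client ip, presented id, time in s].
KNOWN_IDS = [format("%032x", 0xa1)].freeze
SAMPLE_REQUESTS = [
  ["198.51.100.7", format("%032x", 0xa1), 0],   # live session
  ["198.51.100.7", format("%032x", 0xdead), 5], # one stale ID: a single miss
  ["203.0.113.9",  format("%032x", 1), 10],     # burst of unknown IDs
  ["203.0.113.9",  format("%032x", 2), 11],
  ["203.0.113.9",  format("%032x", 3), 12],     # third miss in the window
  ["203.0.113.9",  nil, 13],                    # no cookie: not a miss
  ["203.0.113.9",  format("%032x", 4), 200]     # old misses have aged out
].freeze

# Runs the monitor over a request list and returns [ip, verdict] pairs.
def classify(requests, known_ids, **opts)
  monitor = SessionMissMonitor.new(known_ids, **opts)
  requests.map { |ip, sid, t| [ip, monitor.observe(ip, sid, t)] }
end

classify(SAMPLE_REQUESTS, KNOWN_IDS, threshold: 3, window: 60).each do |ip, verdict|
  puts "#{ip} #{verdict}"
end
```

Counting per client IP is an assumption of this sketch; clients behind a shared address will pool their misses.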